
Latest FCKEditor ASP Upload Bypass Vulnerability

OP, posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"

Tested on PHP: does not work.
Tested on ASP/ASPX: works:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
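The following Python is an added illustration of the check the quick patch changes; it is not code from this post or from FCKeditor. It models, as an assumption, a connector that takes the text after the last dot as the extension, tests that string against the configured pattern, and renames duplicates to name(1).ext. The allowlist and filenames are constructed. It shows why the unanchored pattern accepts an extension such as "asp" followed by a NUL and "txt" while the anchored form ^(...)$ rejects it, and adds the two further defensive rules a reviewer would want: reject control characters in client-supplied names, and re-run the extension check on the name that will actually be written after duplicate renaming.

```python
import re

# Constructed allowlist, standing in for the "Extensions Here" value in config.asp.
ALLOWED_EXTENSIONS = ["jpg", "gif", "png", "txt", "pdf"]


def unanchored_pattern(allowed):
    """The weak form: the extension only has to *contain* an allowed value."""
    return re.compile("|".join(re.escape(e) for e in allowed), re.IGNORECASE)


def anchored_pattern(allowed):
    """The patched form ^(...)$: the whole extension must equal an allowed value."""
    return re.compile("^(" + "|".join(re.escape(e) for e in allowed) + ")$", re.IGNORECASE)


def extension_of(filename):
    """Text after the last dot, which is what the modelled connector compares (assumption)."""
    return filename.rpartition(".")[2] if "." in filename else ""


def extension_allowed(filename, pattern):
    return pattern.search(extension_of(filename)) is not None


def unique_name(filename, existing):
    """Model of the duplicate handling: name.ext -> name(1).ext, name(2).ext ..."""
    if filename not in existing:
        return filename
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    n = 1
    while True:
        candidate = f"{base}({n}){dot}{ext}"
        if candidate not in existing:
            return candidate
        n += 1


def name_as_stored(filename):
    """What a NUL-terminated file API would actually write: everything before the first NUL."""
    return filename.split("\x00", 1)[0]


def safe_upload_name(filename, existing, allowed=ALLOWED_EXTENSIONS):
    """Return the final stored name, or None if the upload must be rejected.

    Three defensive rules, each of which alone blocks the reported case:
      1. no control characters or path separators in the client-supplied name;
      2. the extension is checked with the anchored pattern;
      3. the check is repeated on the name that will actually reach the disk,
         after duplicate renaming, so the rename path cannot skip validation.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return None
    if "/" in filename or "\\" in filename:
        return None
    pattern = anchored_pattern(allowed)
    if not extension_allowed(filename, pattern):
        return None
    final = unique_name(filename, existing)
    if not extension_allowed(name_as_stored(final), pattern):
        return None
    return final


if __name__ == "__main__":
    # Constructed filename: the report's asd.asp%00txt after URL decoding is asd.asp\x00txt.
    weak, strong = unanchored_pattern(ALLOWED_EXTENSIONS), anchored_pattern(ALLOWED_EXTENSIONS)
    tricky = "asd.asp\x00txt"
    print("unanchored accepts:", extension_allowed(tricky, weak))    # True
    print("anchored accepts:  ", extension_allowed(tricky, strong))  # False
    print("stored name after rename:", name_as_stored(unique_name(tricky, {tricky})))  # asd(1).asp
    print("safe_upload_name:", safe_upload_name(tricky, {tricky}))          # None
    print("safe_upload_name:", safe_upload_name("photo.jpg", {"photo.jpg"}))  # photo(1).jpg
```

The same re-validation belongs wherever the server derives a new name from the client's (duplicate renaming, sanitising, transliteration): the allowlist decision must be made on the bytes the filesystem will see, not on the string the client sent.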